
Enterprise-Level Network Traffic Analysis and Security Monitoring


  1. Enterprise-Level Network Traffic Analysis and Security Monitoring
     Martin Arlitt and Carey Williamson
     Department of Computer Science, University of Calgary

  2. Outline
     ▪ Introduction (Carey: 20 minutes)
       — Internet TCP/IP protocol stack
       — Network traffic measurement
       — Basic tools: tcpdump, wireshark
     ▪ Network Security Analysis (Martin: 20 minutes)
       — Principles and approaches
       — Advanced tools: Endace DAG, Bro (Zeek) IDS, Vertica
       — U of C network traffic overview and challenges
     ▪ U of C Case Study: Part 1 (Carey: 20 minutes)
       — Examples of normal and abnormal (malicious) traffic
     ▪ U of C Case Study: Part 2 (Martin: 20 minutes)
       — More examples of malicious traffic
     ▪ Q&A

  3. Background Review: Internet Protocol Stack (see [5])
     (Figure: the five layers drawn as a stack, Application / Transport / Network / Data Link / Physical)
     ▪ Application: supports end-user services and network applications
       — HTTP, SMTP, DNS, FTP, NTP
     ▪ Transport: end-to-end data transfer
       — TCP, UDP
     ▪ Network: routing of datagrams from source to destination
       — IPv4, IPv6, BGP, RIP
     ▪ Data Link: channel access, framing, flow/error control, on a hop-by-hop basis
       — PPP, Ethernet, IEEE 802.11b WiFi
     ▪ Physical: transmission of bits (001101011...)

  4. Network Traffic Measurement (see [2][7][8])
     ▪ A focus of networking research for 30+ years
     ▪ Collect datasets or traces showing packet-level activity on the network for different applications
     ▪ Why?
       — Understand the traffic on existing networks (see [9])
       — Workload characterization and modeling
       — Develop models of traffic for future networks
       — Performance evaluation of protocols and applications
       — Protocol debugging
       — Network security monitoring (see [6])

  5. Requirements
     ▪ Network traffic measurement requires hardware or software measurement tools that attach directly to the network
     ▪ Allows you to observe all packet traffic on the network (or a filtered subset for traffic of interest)
     ▪ Assumes broadcast-based network technology and superuser permission

  6. Network Packet Structure
     (Figure: a packet laid out as Protocol Headers (Control Information) followed by the Payload (User Level Data))
     ▪ Data Link Layer Header (e.g., WiFi, Ethernet)
       — Src 12:BD:07:AF:B0:6E, Dst 37:F9:14:FD:C1:08, Length 1500, CRC 0xFC147E
     ▪ Network Layer Header (e.g., IP)
       — SrcIP 372.19.44.108, DstIP 136.159.99.114
     ▪ Transport Layer Header (e.g., TCP)
       — SrcPort 80, DstPort 2579, SeqNum 61842, ACK 3756812, Window 8192, Flags: PA
     ▪ Payload (User Level Data)
       HTTP/1.0 200 OK
       Content-Type: text
       Content-Length: 4732
       <html> Welcome to Sponge Bob’s home page! <br> On this site, there are lots of fun activities for you: colouring pages, bath time singalongs, and more. <p> Please click <a href="./signup.html"> here </a> to learn more about membership accounts and...
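The three headers on slide 6 can be walked field by field with Python's struct module. The following is an added example, not code from the presentation: it builds one constructed Ethernet/IPv4/TCP frame carrying the slide's header values (the slide's source address 372.19.44.108 is not a valid dotted quad, so the documentation address 192.0.2.10 stands in for it; checksums are left at zero and not verified) and parses it back, checking the length and offset fields that a truncated or malformed capture can get wrong.

```python
import struct

# tcpdump-style flag letters, in the order the slide prints them (e.g. "PA", "SA", "FPA").
TCP_FLAG_LETTERS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U"))


def flags_to_str(bits):
    """Render TCP flag bits as tcpdump-style letters ("." when none are set)."""
    return "".join(letter for bit, letter in TCP_FLAG_LETTERS if bits & bit) or "."


def parse_ethernet(frame):
    """Peel the 14-byte Ethernet II header; returns (fields, remaining bytes)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    hdr = {"dst_mac": dst.hex(":").upper(), "src_mac": src.hex(":").upper(),
           "ethertype": ethertype, "length": len(frame)}
    return hdr, frame[14:]


def parse_ipv4(data):
    """Peel the IPv4 header (honouring IHL); returns (fields, bytes covered by total length)."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    # Ethernet pads short frames, so data may be longer than total_len, but never shorter.
    if ihl < 20 or total_len < ihl or total_len > len(data):
        raise ValueError("inconsistent IPv4 length fields")
    hdr = {"src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
           "ttl": ttl, "protocol": proto, "total_length": total_len}
    return hdr, data[ihl:total_len]


def parse_tcp(segment):
    """Peel the TCP header (honouring the data offset); returns (fields, payload)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(segment):
        raise ValueError("inconsistent TCP data offset")
    hdr = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
           "flags": flags_to_str(off_flags & 0x1FF), "window": window}
    return hdr, segment[data_off:]


def parse_frame(frame):
    """Walk the three headers of slide 6 and return them with the user-level payload."""
    link, rest = parse_ethernet(frame)
    if link["ethertype"] != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    network, rest = parse_ipv4(rest)
    if network["protocol"] != 6:
        raise ValueError("only TCP segments are handled here")
    transport, payload = parse_tcp(rest)
    return {"link": link, "network": network, "transport": transport, "payload": payload}


def build_sample_frame():
    """A constructed frame with the slide's header values (checksums zero, 192.0.2.10 as source)."""
    payload = (b"HTTP/1.0 200 OK\r\nContent-Type: text\r\nContent-Length: 4732\r\n\r\n"
               b"<html> Welcome to Sponge Bob's home page! <br>")
    tcp = struct.pack("!HHIIHHHH", 80, 2579, 61842, 3756812, (5 << 12) | 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([136, 159, 99, 114]))
    eth = struct.pack("!6s6sH", bytes.fromhex("37F914FDC108"), bytes.fromhex("12BD07AFB06E"), 0x0800)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    parsed = parse_frame(build_sample_frame())
    for layer in ("link", "network", "transport"):
        print(layer, parsed[layer])
    print("payload", parsed["payload"][:40])
```

The length checks matter in practice: a monitor that trusts the IHL, total length or data offset fields without comparing them to the bytes actually captured will read past the buffer or mis-align the payload on the very packets an attacker can craft.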

  7. Measurement Approaches (1 of 3)
     ▪ Can be classified into hardware and software measurement tools (see [4][8])
     ▪ Hardware: specialized equipment
       — Examples: HP 4972 LAN Analyzer, DataGeneral Network Sniffer, NavTel InterWatch 95000, Endace DAG, others...
       — These are faster, but more expensive ($$$)
     ▪ Software: special software tools
       — Examples: tcpdump, ethereal, wireshark, SNMP, others...
       — These are cheaper (free!), but also slower (they may miss packets)

  8. Measurement Approaches (2 of 3)
     ▪ Measurement tools can also be classified as active or passive
     ▪ Active: the monitoring tool generates traffic of its own during data collection (e.g., ping, traceroute)
     ▪ Passive: the monitoring tool only observes and records traffic information, generating none of its own (e.g., tcpdump, wireshark, airopeek)

  9. Measurement Approaches (3 of 3)
     ▪ Measurement tools can also be classified as real-time or non-real-time
     ▪ Real-time: collects traffic data as it happens, and may even be able to display traffic information as it happens, for real-time traffic management
     ▪ Non-real-time: the collected traffic data may be only a subset (sample) of the total traffic, and is analyzed off-line (later), for detailed analysis

  10. Basic Tools for Network Traffic Measurement
     ▪ tcpdump https://www.tcpdump.org
       — Unix-based tool from the mid-to-late 1980s
       — Distributed with BSD Unix (Berkeley Software Distribution)
       — Command-line interface; must be root to run it
       — Uses the Berkeley Packet Filter (BPF) in the operating system
       — Writes the PCAP file format; uses the libpcap library
     ▪ Wireshark https://www.wireshark.org
       — PC-based tool from the early 2000s
       — Formerly called Ethereal (name change in May 2006)
       — Free and open-source tool
       — Multi-layer visualization and analysis of packet traces
       — Also supports the PCAP file format

  11. Example: tcpdump
     Time      IP Source Addr     IP Dest Addr    Size  Prot  SPort  DPort  TCP Data SeqNumber       TCP AckNum  Window      Flags
     0.000000  192.168.1.201  ->  192.168.1.200     60  TCP    4105     80  1315338075 : 1315338075           0  win: 5840   S
     0.003362  192.168.1.200  ->  192.168.1.201     60  TCP      80   4105  1417888236 : 1417888236  1315338076  win: 5792   SA
     0.009183  192.168.1.201  ->  192.168.1.200     52  TCP    4105     80  1315338076 : 1315338076  1417888237  win: 5840   A
     0.010854  192.168.1.201  ->  192.168.1.200    127  TCP    4105     80  1315338076 : 1315338151  1417888237  win: 5840   PA
     0.014309  192.168.1.200  ->  192.168.1.201     52  TCP      80   4105  1417888237 : 1417888237  1315338151  win: 5792   A
     0.049848  192.168.1.200  ->  192.168.1.201   1500  TCP      80   4105  1417888237 : 1417889685  1315338151  win: 5792   A
     0.056902  192.168.1.200  ->  192.168.1.201   1500  TCP      80   4105  1417889685 : 1417891133  1315338151  win: 5792   A
     0.057284  192.168.1.201  ->  192.168.1.200     52  TCP    4105     80  1315338151 : 1315338151  1417889685  win: 8688   A
     0.060120  192.168.1.201  ->  192.168.1.200     52  TCP    4105     80  1315338151 : 1315338151  1417891133  win: 11584  A
     0.068579  192.168.1.200  ->  192.168.1.201   1500  TCP      80   4105  1417891133 : 1417892581  1315338151  win: 5792   PA
     0.075673  192.168.1.200  ->  192.168.1.201   1500  TCP      80   4105  1417892581 : 1417894029  1315338151  win: 5792   A
     0.076055  192.168.1.201  ->  192.168.1.200     52  TCP    4105     80  1315338151 : 1315338151  1417892581  win: 14480  A
     0.083233  192.168.1.200  ->  192.168.1.201   1500  TCP      80   4105  1417894029 : 1417895477  1315338151  win: 5792   A
     0.096728  192.168.1.200  ->  192.168.1.201   1500  TCP      80   4105  1417896925 : 1417898373  1315338151  win: 5792   A
     0.103439  192.168.1.200  ->  192.168.1.201   1500  TCP      80   4105  1417898373 : 1417899821  1315338151  win: 5792   A
     0.103780  192.168.1.201  ->  192.168.1.200     52  TCP    4105     80  1315338151 : 1315338151  1417894029  win: 17376  A
     0.106534  192.168.1.201  ->  192.168.1.200     52  TCP    4105     80  1315338151 : 1315338151  1417898373  win: 21720  A
     0.133408  192.168.1.200  ->  192.168.1.201    776  TCP      80   4105  1417904165 : 1417904889  1315338151  win: 5792   FPA
     0.139200  192.168.1.201  ->  192.168.1.200     52  TCP    4105     80  1315338151 : 1315338151  1417904165  win: 21720  A
     0.140447  192.168.1.201  ->  192.168.1.200     52  TCP    4105     80  1315338151 : 1315338151  1417904890  win: 21720  FA
     0.144254  192.168.1.200  ->  192.168.1.201     52  TCP      80   4105  1417904890 : 1417904890  1315338152  win: 5792   A
     Flow summary (e.g., NetFlow record or Bro connection log entry):
     0.000000 192.168.1.201 4105 192.168.1.200 80 0.144254 10 77 11 16654 SF

  12. Example: wireshark
     (Figure: Wireshark screenshot of a packet trace)

  13. Some Technical Challenges
     ▪ Speed:
       — Real-time collection/analysis at network link speeds
       — Sheer volume of traffic on an enterprise-level network
     ▪ Information collection:
       — Headers only versus full payloads
       — Flow-level versus packet-level analysis
     ▪ Storage:
       — Short-term versus long-term data collection
     ▪ Miscellaneous:
       — Middleboxes (NAT, DHCP, VPN, firewalls); WiFi; IP subnets
       — End-to-end encryption (HTTPS, TLS, SSL) (see [1])

  14. Outline
     ▪ Introduction (Carey: 20 minutes)
       — Internet TCP/IP protocol stack
       — Network traffic measurement
       — Basic tools: tcpdump, wireshark
     ▪ Network Security Analysis (Martin: 20 minutes)
       — Principles and approaches
       — Advanced tools: Endace DAG, Bro (Zeek) IDS, Vertica
       — U of C network traffic overview and challenges
     ▪ U of C Case Study: Part 1 (Carey: 20 minutes)
       — Examples of normal and abnormal (malicious) traffic
     ▪ U of C Case Study: Part 2 (Martin: 20 minutes)
       — More examples of malicious traffic
     ▪ Q&A

  15. Guiding Principle #1
     “Know your enemy and yourself.”
       — Sun Tzu, General and Military Strategist (Ancient China)
     “Organizations know which technologies they intended to use on their network; hackers/nation states know which technologies are actually in use on that network.”
       — Rob Joyce, Tailored Access Operations, National Security Agency (USENIX Enigma Conference 2016)

  16. Guiding Principle #2
     “All models are wrong, but some are useful.”
       — George Box, Statistician (1919-2013)
     “Sequence of effective intelligence operations” (or “Intelligence lifecycle”)
     (Figure: the five stages drawn as a cycle)
       1. Acquire
       2. Deliver
       3. Accept
       4. Interpret
       5. Act

  17. Guiding Principle #3
     “Anything that can go wrong will go wrong.”
       — Murphy’s Law
     This applies to all stages of the intelligence lifecycle, but it is especially applicable to data collection.

  18. Guiding Principle #4
     “A small leak will sink a great ship.”
       — Benjamin Franklin
     Security analytics is like searching for needles in a giant haystack. (Vertica is a great tool for doing this.)

  19. An Analogy: Power Signals
     ▪ Disaggregating an aggregation of signals
     G. Hart, “Nonintrusive Appliance Load Monitoring”, Proceedings of the IEEE, 1992.
